Org debt compounds quietly. A neglected Salesforce org develops security gaps, broken automation, and license waste that no one notices until it's expensive to fix. This 10-point checklist covers everything a Salesforce admin should audit — and why each check matters.
Most Salesforce orgs were built incrementally — one project, one consultant, one admin at a time. Without periodic audits, the result is a system carrying years of unintended technical debt. Three reasons this compounds into real problems:
Every unused field, every inactive workflow, every duplicated permission set makes future changes harder. Orgs that skip annual audits spend 3× longer on projects 3 years later.
Permission creep happens gradually. A profile given Modify All for "a quick project" never gets cleaned up. Until it does, it's a data breach waiting to happen.
Wide objects with hundreds of unused fields slow page load. Unbounded SOQL in broken flows burns API limits. Users blame Salesforce when the real problem is org hygiene.
Work through these 10 areas systematically. Each includes what to look for and why it matters. Severity ratings reflect typical impact when the issue is present.
Salesforce objects accumulate custom fields from past projects, abandoned initiatives, and consultants who left. Fields that haven't stored data in 90+ days are dead weight — they slow page loads, confuse users with irrelevant inputs, and eat into field limits on older orgs.
Permission creep is the most dangerous and most common org health issue. A permission set granted "Modify All Data" to a sales rep for a one-week project — and never revoked — is a standing security vulnerability. Salesforce security audits start here.
Every inactive or erroring automation is a landmine. Flows that error silently fail data operations and leave records in inconsistent states. Legacy Workflow Rules that overlap with new Flows create ordering conflicts that are nearly impossible to debug without knowing both exist.
Custom objects created for integrations, one-off projects, or by contractors often persist long after their purpose has expired. An undocumented custom object with no description, no owner, and no linked flows is dead metadata taking up schema space — and a sign that your org governance is weak.
Runaway integrations can consume your daily API limit without anyone noticing — until everything breaks. Polling integrations (checking for changes every minute instead of using streaming) are especially wasteful. An API audit tells you which integrations are healthy and which are ticking time bombs.
Storage overages are expensive, and they turn into operational emergencies when they hit. Most orgs that hit storage limits don't realize they're approaching them until they start getting "storage limit exceeded" errors. Proactive storage audits take 20 minutes and prevent a multi-thousand-dollar crisis.
Salesforce licenses are expensive. Users who haven't logged in for 30+ days are either gone from the company (a security issue) or using Salesforce so rarely that a lighter license type would suffice. Either way, they're burning budget. License audits consistently surface 5–15% savings for mid-market orgs.
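The permission-creep and inactive-user checks above can be combined into one pass over who holds Modify All Data. The following is an added example, not code from this page or from OrgPilot; the sample rows are constructed, and the function name, the row layout and the "expected admin profile" allowlist are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# SOQL that returns rows of this shape (standard objects and fields only).
SOQL = """
SELECT Assignee.Username, Assignee.LastLoginDate, PermissionSet.Label,
       PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true
  AND PermissionSet.PermissionsModifyAllData = true
"""

# Constructed sample rows (not real data), flattened from the query result.
SAMPLE_ROWS = [
    {"username": "admin@example.com", "last_login": "2024-05-30T08:12:00.000+0000",
     "from_profile": True, "source": "System Administrator"},
    {"username": "rep@example.com", "last_login": "2024-05-28T14:03:00.000+0000",
     "from_profile": False, "source": "Data Migration Temp"},
    {"username": "former@example.com", "last_login": "2024-02-10T09:00:00.000+0000",
     "from_profile": True, "source": "System Administrator"},
    {"username": "integration@example.com", "last_login": None,
     "from_profile": False, "source": "Integration Full"},
]

def audit_modify_all(rows, now, stale_days=30,
                     expected_profiles=("System Administrator",)):
    """Return sorted (severity, username, grant) findings for Modify All Data holders."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in rows:
        raw = row["last_login"]  # None means the user has never logged in
        last = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%f%z") if raw else None
        kind = "profile" if row["from_profile"] else "permission set"
        grant = f"{kind}: {row['source']}"
        if last is None or last < cutoff:
            severity = "high"    # active account, powerful grant, no recent login
        elif not (row["from_profile"] and row["source"] in expected_profiles):
            severity = "review"  # grant outside the admin allowlist (assumed policy)
        else:
            continue             # expected admin who logs in regularly
        findings.append((severity, row["username"], grant))
    return sorted(findings)

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for finding in audit_modify_all(SAMPLE_ROWS, now):
        print(*finding, sep="  ")
```

Profile-owned permission sets appear in the same query with `IsOwnedByProfile = true`, so a single query covers grants made through profiles as well as through permission sets.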
Sharing rules define which records users can see beyond the organization-wide defaults (OWD). Orgs with complex, overlapping sharing rules experience unpredictable data visibility issues and significant performance degradation when record-level operations recalculate shares. More than 50–100 active sharing rules is a warning sign.
Salesforce requires 75% test coverage to deploy. Many orgs game this threshold with minimal "it runs without throwing" tests rather than meaningful assertions. Gaps in real coverage mean that breaking changes to critical business logic deploy silently — until production data is corrupted.
Salesforce is moving away from Profile-heavy permission models toward Permission Sets and Permission Set Groups. Orgs still relying on 20+ custom Profiles carry long-term maintenance debt — every permission change requires editing multiple profiles instead of a single permission set. Salesforce announced plans to limit Profile capabilities in future releases.
Not ready to run a full manual audit? OrgPilot's free health check gives you a risk score and specific findings — no Salesforce login required.
The honest answer: more often than you're doing it. Most admins audit annually (if at all). The orgs with the least tech debt run some version of a lightweight continuous check alongside an annual deep audit.
The continuous-vs-annual debate usually resolves to the same answer: both. A full manual audit is too slow to run monthly. But relying on an annual audit means problems compound for 11 months before anyone looks.
Lightweight automated health checks monthly (or on-demand after major releases), combined with a thorough manual audit once per year.
One thorough audit per year. Better than nothing — but leaves 11 months of unchecked drift between each cycle.
High-growth orgs — adding integrations, custom objects, or new business units frequently — should treat quarterly audits as the baseline, not the ceiling. Every quarter of unreviewed changes adds compounding cleanup effort to the annual audit.